Most providers require you to sign up for a so called API client or app,
containing a client ID and API secret. You must add a SocialApp
record per provider via the Django admin containing these app
credentials.

When creating the OAuth app on the side of the provider pay special
attention to the callback URL (sometimes also referred to as redirect
URL). If you do not configure this correctly, you will receive login
failures when attempting to log in, such as:

While testing you can leave the RedirectURIs field empty in the dashboard. You can specify what identity details to request via the SCOPE parameter.

SOCIALACCOUNT_PROVIDERS={'authentiq':{'SCOPE':['email','aq:name']}}

Valid scopes include: email, phone, address, aq:name, aq:location. The default is to request a user’s name, and email address if SOCIALACCOUNT_QUERY_EMAIL=True. You can request and require a verified email address by setting SOCIALACCOUNT_EMAIL_VERIFICATION=True and SOCIALACCOUNT_EMAIL_REQUIRED=True.

Note that in order to use battletags as usernames, you are expected to override
either the username field on your User model, or to pass a custom validator
which will accept the # character using the ACCOUNT_USERNAME_VALIDATORS
setting. Such a validator is available in
socialaccount.providers.battlenet.validators.BattletagUsernameValidator.

Register your application at https://developers.eveonline.com/applications/create.
Note that if you have STORE_TOKENS enabled (the default), you will need to
set up your application to be able to request an OAuth scope. This means you
will need to set it as having “CREST Access”. The least obtrusive scope is
“publicData”.

Log in and click your profile name in the top right navigation, then select
AccountSettings. Choose AppManagement near the bottom of the left
navigation column. You can then click CreateANewApp on the upper left
corner.

For Facebook both OAuth2 and the Facebook Connect Javascript SDK are
supported. You can even mix the two.

An advantage of the Javascript SDK may be a more streamlined user
experience as you do not leave your site. Furthermore, you do not need
to worry about tailoring the login dialog depending on whether or not
you are using a mobile device. Yet, relying on Javascript may not be
everybody’s cup of tea.

By default, the email scope is required depending on whether or not
SOCIALACCOUNT_QUERY_EMAIL is enabled.
Apps using permissions beyond email, public_profile and user_friends
require review by Facebook.
See Permissions with Facebook Login
for more information.

AUTH_PARAMS:

Use AUTH_PARAMS to pass along other parameters to the FB.login
JS SDK call.

FIELDS:

The fields to fetch from the Graph API /me/?fields= endpoint.
For example, you could add the 'friends' field in order to
capture the user’s friends that have also logged into your app using
Facebook (requires 'user_friends' scope).

EXCHANGE_TOKEN:

The JS SDK returns a short-lived token suitable for client-side use. Set
EXCHANGE_TOKEN=True to make a server-side request to upgrade to a
long-lived token before storing in the SocialToken record. See
Expiration and Extending Tokens.

LOCALE_FUNC:

The locale for the JS SDK is chosen based on the current active language of
the request, taking a best guess. This can be customized using the
LOCALE_FUNC setting, which takes either a callable or a path to a callable.
This callable must take exactly one argument, the request, and return a
valid Facebook locale as a string, e.g. US English:

It is not clear from the Facebook documentation whether or not the fact
that the account is verified implies that the e-mail address is verified
as well. For example, verification could also be done by phone or credit
card. To be on the safe side, the default is to treat e-mail addresses
from Facebook as unverified. But, if you feel that is too paranoid, then
use this setting to mark them as verified. Due to lack of an official
statement from the side of Facebook, attempts have been made to
reverse engineer the meaning of the verified flag.
Do know that by setting this to True you may be introducing a security
risk.

VERSION:

The Facebook Graph API version to use. The default is v2.12.

App registration (get your key and secret here)

A key and secret key can be obtained by
creating an app.
After registration you will need to make it available to the public.
In order to do that your app first has to be
reviewed by Facebook.

Development callback URL

Leave your App Domains empty and put http://localhost:8000 in the
section labeled WebsitewithFacebookLogin. Note that you’ll need to
add your site’s actual domain to this section once it goes live.

The Firefox Accounts provider is currently limited to Mozilla relying services
but there is the intention, in the future, to allow third-party services to
delegate authentication. There is no committed timeline for this.

Requested OAuth2 scope. Default is [‘profile’], which will work for
applications on the Mozilla trusted whitelist. If your application is not
on the whitelist, then define SCOPE to be [‘profile:email’, ‘profile:uid’].

By default, you will have access to the openid, profile, and offline_access
scopes. With the offline_access scope, the API will provide you with a
refresh token. For additional scopes, see the Globus API docs:

After you create a project you will have to create a “Client ID” and fill in
some project details for the consent form that will be presented to the client.

Under “APIs & auth” go to “Credentials” and create a new Client ID. Probably
you will want a “Web application” Client ID. Provide your domain name or test
domain name in “Authorized JavaScript origins”. Finally fill in
http://127.0.0.1:8000/accounts/google/login/callback/ in the
“Authorized redirect URI” field. You can fill multiple URLs, one for each test
domain. After creating the Client ID you will find all details for the Django
configuration on this page.

Users that login using the app will be presented a consent form. For this to
work additional information is required. Under “APIs & auth” go to
“Consent screen” and at least provide an email and product name.

By default, r_emailaddress scope is required depending on whether or
not SOCIALACCOUNT_QUERY_EMAIL is enabled.

Note: if you are experiencing issues where it seems as if the scope has no
effect you may be using an old LinkedIn app that is not scope enabled.
Please refer to
https://developer.linkedin.com/forum/when-will-old-apps-have-scope-parameter-enabled
for more background information.

Furthermore, we have experienced trouble upgrading from OAuth 1.0 to OAuth 2.0
using the same app. Attempting to do so resulted in a weird error message when
fetching the access token:

MailChimp has a simple API for working with your own data and a good library
already exists for this use. However, to allow other MailChimp users to use an
app you develop, the OAuth2 API allows those users to give or revoke access
without creating a key themselves.

Login via https://login.mailchimp.com/, which will redirect you to
https://usX.admin.mailchimp.com/ where the prefix usX (X is an
integer) is the subdomain you need to connect to. Click on your username in the
top right corner and select Profile. On the next page select Extras then
click API keys, which should lead you to:

Note the requirement of https. If you would like to test OAuth2
authentication locally before deploying a default django project will raise
errors because development mode does not support https. One means of
circumventing this is to install django-extensions:

pipinstalldjango-extensions

add it to your INSTALLED_APPS

INSTALLED_APPS=(...'django_extensions',...)

and then run:

./manage.pyrunserver_plus--certcert

which should allow you to test locally via https://127.0.0.1:8000. Some
browsers may require enabling this on localhost and not support by default and
ask for permission.

The OpenID provider does not require any settings per se. However, a typical
OpenID login page presents the user with a predefined list of OpenID providers
and allows the user to input their own OpenID identity URL in case their
provider is not listed by default. The list of providers displayed by the
builtin templates can be configured as follows:

The ORCID provider should work out of the box provided that you are using the
Production ORCID registry and the public API. In other settings, you will need
to define the API you are using in your site’s settings, as follows:

SOCIALACCOUNT_PROVIDERS={'orcid':{# Base domain of the API. Default value: 'orcid.org', for the production API'BASE_DOMAIN':'sandbox.orcid.org',# for the sandbox API# Member API or Public API? Default: False (for the public API)'MEMBER_API':True,# for the member API}}

By default, access to Reddit is temporary. You can specify the duration
auth parameter to make it permanent.

You can optionally specify additional permissions to use. If no SCOPE
value is set, the Reddit provider will use identity by default.

In addition, you should override your user agent to comply with Reddit’s API
rules, and specify something in the format
<platform>:<appID>:<versionstring>(by/u/<redditusername>). Otherwise,
you will risk additional rate limiting in your application.

The Shopify provider requires a shop parameter to login. For
example, for a shop petstore.myshopify.com, use this:

/accounts/shopify/login/?shop=petstore

You can create login URLs like these as follows:

{%provider_login_url"shopify"shop="petstore"%}

For setting up authentication in your app, use this url as your AppURL
(if your server runs at localhost:8000):

http://localhost:8000/accounts/shopify/login/

And set RedirectionURL to:

http://localhost:8000/accounts/shopify/login/callback/

Embedded Apps

If your Shopify app is embedded you will want to tell allauth to do the required JS (rather than server) redirect.:

SOCIALACCOUNT_PROVIDERS={'shopify':{'IS_EMBEDDED':True,}}

Note that there is more an embedded app creator must do in order to have a page work as an iFrame within
Shopify (building the x_frame_exempt landing page, handing session expiration, etc…).
However that functionality is outside the scope of django-allauth.

Online/per-user access mode
Shopify has two access modes, offline (the default) and online/per-user. Enabling ‘online’ access will
cause all-auth to tie the logged in Shopify user to the all-auth account (rather than the shop as a whole).:

Register your OAuth2 app over at http://stackapps.com/apps/oauth/register.
Do not enable “Client Side Flow”. For local development you can simply use
“localhost” for the OAuth domain.

As for all providers, provider specific data is stored in
SocialAccount.extra_data. For Stack Exchange we need to choose what data to
store there by choosing the Stack Exchange site (e.g. Stack Overflow, or
Server Fault). This can be controlled by means of the SITE setting:

The second part of setting up the Twitter provider requires you to configure
your Django application. Configuration is done by creating a Socialapp object
in the admin. Add a social app on the admin page:

/admin/socialaccount/socialapp/

Use the twitter keys tab of your application to fill in the form. It’s located:

Microsoft calls the “client_id” an “Application Id” and it is a UUID. Also,
the “client_secret” is not created by default, you must edit the application
after it is created, then click “Generate New Password” to create it.

Register your OAuth2 app over at http://open.weibo.com/apps. Unfortunately,
Weibo does not allow for specifying a port number in the authorization
callback URL. So for development purposes you have to use a callback url of
the form http://127.0.0.1/accounts/weibo/login/callback/ and run
runserver127.0.0.1:80.

Weixin supports two kinds of oauth2 authorization, one for open platform and
one for media platform, AUTHORIZE_URL is the only difference between them, you
can specify AUTHORIZE_URL in setting, If no AUTHORIZE_URL value is set
will support open platform by default, which value is
https://open.weixin.qq.com/connect/qrconnect.

You can optionally specify additional scope to use. If no SCOPE value
is set, will use snsapi_login by default(for Open Platform Account, need
registration). Other SCOPE options are: snsapi_base, snsapi_userinfo.